
This week, a wave of sophisticated crypto address‑poisoning scams swept through the market, leading to over $1.6 million in losses for unsuspecting users—surpassing the total losses recorded for the entire month of March.
A notable case on Friday involved a user who inadvertently transferred 140 Ether (ETH), worth approximately $636,500, to a spoofed address inserted into their wallet history. According to scam monitoring platforms, the user’s transaction history had been “flooded with poison addresses,” making a successful attack only a matter of time.
In a separate incident on Sunday, another victim lost $880,000, while others reported individual losses of $80,000 and $62,000. Combined, these incidents mark a sharp escalation in address-poisoning activity, highlighting the method’s growing effectiveness.
Address poisoning works by sending tiny transactions from addresses that closely resemble those in a victim’s contact list or transaction history. When users rely on past transactions to copy addresses, they risk selecting the attacker’s subtly altered address. This manipulation turns everyday copy-paste actions into vulnerabilities.
Web3 security firms explain that these attackers strategically embed “lookalike” addresses to appear legitimate, preying on users who do not verify the full string of the recipient’s address. As a result, the victim unknowingly sends funds to the attacker’s wallet.
This week also saw at least $600,000 in losses attributed to malicious signature attacks, in which victims were tricked into signing harmful smart contract operations such as “approve,” “increaseAllowance,” and “permit.” In one case, a user lost $165,000 worth of tokens after approving a deceptive signature request.
Security analysts are urging users to adopt protective measures, including using address books or whitelisting known wallets and always verifying the entire address before initiating a transaction.
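The address-book check recommended above can be automated before a transfer is signed. The following is an added example, not code from the article or from any wallet: it compares the full recipient string against a trusted address book and flags a candidate that shares only its leading or trailing characters with a trusted entry. All addresses, the `exchange-deposit` label and the four-character comparison window are constructed assumptions.

```python
from __future__ import annotations

HEX = set("0123456789abcdef")
# Assumption: wallets often display addresses truncated to a few leading and
# trailing characters, so those are the characters a lookalike imitates.
WINDOW = 4


def normalize(addr: str) -> str:
    """Lower-case a 0x-prefixed, 40-hex-digit address; reject anything else."""
    a = addr.strip().lower()
    if len(a) != 42 or not a.startswith("0x") or set(a[2:]) - HEX:
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a


def classify(recipient: str, address_book: dict[str, str]) -> tuple[str, str | None]:
    """Return (verdict, label of the address-book entry involved).

    trusted   - every character matches an address-book entry
    lookalike - only the first or last WINDOW hex digits match an entry
    unknown   - no resemblance to any entry
    """
    r = normalize(recipient)
    book = {normalize(a): label for label, a in address_book.items()}
    if r in book:
        return "trusted", book[r]
    for known, label in book.items():
        same_head = r[2:2 + WINDOW] == known[2:2 + WINDOW]
        same_tail = r[-WINDOW:] == known[-WINDOW:]
        if same_head or same_tail:
            return "lookalike", label
    return "unknown", None


# Constructed sample data: POISON copies the first and last four hex digits
# of KNOWN and differs everywhere in between.
KNOWN = "0xa1b2c3d4e5f60718293a4b5c6d7e8f9012345678"
POISON = "0xa1b2ffeeddccbbaa998877665544332211005678"
UNRELATED = "0x" + "9" * 40
BOOK = {"exchange-deposit": KNOWN}

if __name__ == "__main__":
    for candidate in (KNOWN, POISON, UNRELATED):
        print(candidate, classify(candidate, BOOK))
```

A `lookalike` verdict is the case to block outright: the address was most likely copied from a poisoned history entry rather than from the address book.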
These attacks underscore a troubling reality: the very interface and convenience of blockchain wallets can be turned against users. With no recourse once a transaction is confirmed, the crypto community must remain vigilant and proactively defend against evolving threats.